A suspected security breach at popular UK-based biking site chainreactioncycles.com has been linked by victims to multiple instances of fraud.
Various bike enthusiast forums are alive with complaints (here and here) from customers of the site, several of whom are reporting unauthorised charges on their credit or debit cards. The …

COMMENTS


o2 is complicit

It's not just the scale of the fraud, it's the poor response by the retailer and the complicity of o2 that also need addressing.

If you read the very long thread here:

http://www.singletrackworld.com/forum/topic/crc-security-issues

You'll see several things:

1. The fraud has been taking place for several months and now runs into the hundreds of thousands of pounds range.

2. There's no confirmation (yet) that the police are involved

3. A director of the retailer's ecommerce partner posted to the thread to blame the whole thing on ChainReactionCycles' customers not protecting their PCs

4. The "test purchases" at o2 take place because o2 have allowed their systems for at least 10 years to be used by fraudsters to test whether a card has "verified by visa" or similar associated with it - o2's systems allow the same card number to be used for an attempted purchase multiple times with the result that it can be re-used until the fraudster hits on the correct valid date for the card.

There's more coverage of o2's willingness to overlook a significant volume of fraudulent transactions made via their payment systems for more than 10 years here:

CRC's silence on this matter sucks...

This very subject also popped up in Bike Radar's Forums too. Most complainants were stung for £15 mobile top-ups. Most of these fraudulent transactions were noted by the CC issuers and it seems as if most were refunded.

The Thread in relation to the CRC issues can be found here:

http://www.bikeradar.com/forum/viewtopic.php?t=12762610

Fortunately I (and many others) pay for our CRC purchases via PayPal and (obviously) have not been affected

What is alarming is CRC's silence on this matter. Fortunately the viral networking of the Forums has alerted most (would-be) CRC customers to the issue.

Erm, buying durable goods via Paypal? Oh dear.

Unless I'm mistaken, if you buy something via Paypal, you've waived Sale Of Goods Act protections - your purchase is of Paypal "currency", not of the final item per se. You've also waived potential powerful protections from the Consumer Credit Act 1975, which state that the credit card provider is liable if the retailer for any reason doesn't honour its agreements (including those vv useful and powerful implicit agreements under SOGA which the layman may not be aware of).

In English, then: buy, say, a washing machine for £400 on paypal, it breaks after the one year warranty, oh dear. Buy it on a debit card, it breaks after a year, you've got a SOGA claim against the retailer on grounds of insufficient durability given the price. Buy it on a credit card, breaks after a year, you've got the SOGA claim, but if the retailer is bust or won't play ball, your credit card provider is liable to you - and will tend to cough up quick.

Credit card also an excellent protection against fraud, provided consumer acted with reasonable levels of care - I would doubt vv much that Paypal would ever come even vaguely close to the fraud protections provided by the UK's Consumer Credit Act.

Direct Debit

You don't waive these rights

But it usually requires a proper court to confirm this. When you buy something via paypal and at that very moment paypal charges your credit card, then it can be and is regarded as single transaction. (though banks will be rather unhelpful then and you need to go to court).

It's a different story of course if you top-up your paypal account at one time and then spend from it at a later moment.

@Puck

When you pay by PayPal, PayPal transfers money from your account to the seller's account. Simple. You're right in saying that you wouldn't be covered by the Consumer Credit Act, but not for the reasons you seem to think. The reason you are not covered by the Consumer Credit Act is that you have not paid by credit card, you have transferred money from one account to another - just like you would if you paid by debit card.

if you are lucky

If you are lucky you just get a few transactions on your card that can be reversed out. However, following the Lush hack my wife received a house insurance policy as they obviously had address and name as well as the card details. Typically the insurance company then wanted to charge a cancellation fee for an insurance policy never authorised in the first place! They got told to f*** off.

Maybe one day this kind of crime will be taken seriously, but the police don't care, credit companies just refund the money, retailers seem to get away without any investigation from the ICO and the victim is left with the stress and inconvenience.

Actually they don't care . .

I used to work for a bank fraud department. The Police don't care about card fraud, not a jot. The only credit card crime they will respond to is the actual manufacture of fake cards. Stolen details or someone going berserk with a stolen card don't interest them at all. The banks can report the crimes as much as they like and the Police response is along the lines of 'well, your products make it too easy for criminals, you sort it out' - which, of course, means that everyone pays and no-one ever gets nicked, except by accident.

Today's date being????

...the common theme of the fraudulent transactions was that they occurred between seven and 10 days after victims purchased goods from chainreactioncycles.com. Purchases at CRC between March 4 to 12 seem to be those most closely associated with subsequent fraud...

What to do with proceeds?

1) Weren't there also similar concerns about another major bike/sports bits retailer about a year ago? (Don't want to name names because I can't remember which one it was)

2) So, assuming I am the scammer, what do I do with the thousands of ten quid top ups? Do I go around selling them for a fiver to corner shops? Can I order real stuff using my prepaid credit balance? Can I divert inbound calling card calls through the mobiles with the stolen credit?

I can't see how the fraudsters benefit from the payg credit. Can someone explain?

Answers

1) Wiggle

2) As an earlier poster mentioned, the O2 pre-pay can be used as a test-bed until the scanners can confirm that the card works ok. CRC customers have also then been stung with large purchases from John Lewis, holidays etc.

It seems to be the banks' automated fraud systems doing the saving work. It looks like their systems are going into high alert if CRC payments have been made recently, ready to shut the card down as soon as an O2 payment is made. CRC's response has been rather pitiful.

I got added to a spam list after buying from an online cycle retailer

About 3 years ago I bought cycle spares (probably a chain and or sprocket set) from a uk online retailer (Spa Cycles IIRC) using a unique-for-them personal email address. A month or two later I started receiving spam to that address - so clearly my email address leaked somewhere. Fortunately there wasn't any related fraudulent card activity.

infrastructure independently tested?

"Our own infrastructure is routinely and independently tested and we are confident that it is robust,"

"We are working with industry experts including the card processing companies to identify possible causes both inside and outside the control of CRC."

Does that mean the Credit Card data is stored in an encrypted form and is never transmitted across a network in the clear, and that all end-to-end transactions are fully and irrevocably audited? 'Cause if none of this applies then the above robust statements are just so much arse-covering waffle.

Not the first time...

I suffered a similar fraud (mobile phone purchase & top up card) after buying from CRC 4 years ago, but the bank were unable to trace the source of the fraudulent transactions as I had used the card in several sites & locations over that period. I had suspicions about it being CRC but never got a response to emails sent to them. I just stopped buying from them altogether as a result.

The bank (HSBC) were great - they phoned me on Sunday morning to advise they thought the transactions were odd, and as soon as I stated I didn't recognise them they cancelled the transactions and sent a new card which arrived 2 days later.

Compare that to Lloyds who insisted that a fraudulent transaction I notified them of was genuine, even though it was a magazine sub to an address in Vietnam!! Took 7 letters and nearly 10 months to get them to accept it was fraud, and a further 3 letters to get them to close the account after I told them I'd never bank with them again.

title

Since that was 4 years ago, and this is a recent event, the chances of that having anything to do with CRC are minimal.

What did you expect them to do? They have lots of transactions a day, and lots of people get their cards ripped off every day; elementary statistics tells you that the two will coincide from time to time. Unless they get multiple reports they'll perfectly reasonably assume it was a coincidence.

Yes,

I have found HSBC are substantially more pro-active than most as well. They noticed that I was trying to withdraw money from a bank in Halifax, minutes after buying something from a motor shop in London, and stopped my card instantly and phoned me on my mobile, fortunately before they managed to empty my account.

I suspect my card had been skimmed at a festival a few months earlier.

Of course, HSBC appear to suck in a number of other ways instead, but fortunately not in ways that have affected me so far. (Although they have affected family and friends)

re:what to do with the proceeds

What you do with the thousands of PAYG credit is:

1. Sell it via low cost overseas call booths - the high street outfits where people cram into tiny booths and pay cash to make calls at low cost

2. Use the several thousand free sim cards that the network gives out, top each one up with £30 and sell it for £10 with no questions asked. Repeat several hundred times and you've successfully laundered the proceeds of the test purchases.

The title is required, and must contain letters and/or digits.

I've never heard of the website - but I recently got 2 charges of £15 to O2 charged to my bank account. I have a mobile - but not on O2. Fortunately my bank's fraud trigger worked and prevented the payments going through after checking with me...

I haven't bought anything from this cycle website - so could it be a wider-based issue between several companies on the web? Although I have to say I'm not sure I'd even used the card that was compromised on the web...

Not necessarily CRC

The card transactions probably aren't handled by CRC themselves, but on a third-party server. As such you can bet that if the third party was hacked there will be other retailers involved too.

The reasons CRC were the first to be outed in a big way would be (a) cycling accounts for a huge amount of online spending (although every cyclist claims to support their local bike shop) and (b) cyclists seem to spend a disproportionate amount of time on forums rather than out on their bikes.

Your Point Being?

"Their own Ts and Cs position them to legally withhold your money with the need to produce no good or factual reason. Especially when you have enough in there for them to make some real interest from."

Nobody with any sense actually rests money in a Paypal account do they?

You don't need money in a paypal account to pay for things. You just transfer the money in there to pay for stuff. And Paypal are not going to refuse to make a payment when you do this because it's not in their interests, no matter what your paranoid little mind may tell you.

Block O2

O2 would make bloody sure they weren't a target for fraudulent card purchases if the card clearers blocked ALL payments to O2 when this sort of thing happens. They would only have to do it once for O2 to make sure it never happens again.

@deviAnt Ostrich

You might want to read some comments above, it explains why people buy O2 top-up/credit. It is an easy way for them to work out if the debit/credit card is currently registered with an identity checking system (such as verified by visa). If you aren't they will go on a spending spree, if you are then it will be harder for them to use it/they might just discard the details/sell them on.

There are many ways someone could have got hold of your card details. You won't be affected by the breach at CRC as you haven't used them. You would have just fallen into the hands of another breach/keylogger/card cloning operation/phishing scam etc.

Coat, door...
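The two detection signals described in this thread (the "o2 is complicit" comment on repeated attempts with the same card number, the "Answers" comment on banks flagging a top-up shortly after a CRC purchase, and the explanation just above) can both be written as simple rules over authorisation logs. The block below is an added example, not code from any commenter, from CRC, O2 or any bank; every record in it is constructed sample data, the merchant labels "CRC" and "O2_TOPUP" are placeholders, the card numbers are standard test numbers, and the HMAC key is a demo value standing in for whatever a real acquirer would keep in a key store.

```python
"""Defender-side detection of two patterns from the thread (added example):

1. Card testing: the same card number retried at one merchant with different
   expiry dates, in a short window, until one attempt authorises.
2. The issuer-side heuristic a poster describes: an approved purchase at the
   breached merchant followed within ~10 days by an attempt at the merchant
   used for test purchases.

All records here are constructed; merchant names and the key are placeholders.
"""
import hashlib
import hmac
from collections import defaultdict
from datetime import datetime, timedelta

DEMO_KEY = b"constructed-demo-key"  # placeholder; a real system keeps this in an HSM/KMS


def pan_fingerprint(pan: str, key: bytes = DEMO_KEY) -> str:
    """Keyed hash of a card number so attempts can be correlated without
    storing or logging the PAN itself."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()[:16]


def _t(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed authorisation attempts, roughly as an acquirer might log them.
EVENTS = [
    # Card A: bought at the breached merchant, then probed 8 days later with
    # four expiry dates in four minutes until one is accepted.
    {"ts": _t("2011-03-05 10:02"), "merchant": "CRC", "pan": "4111111111111111", "expiry": "04/12", "approved": True},
    {"ts": _t("2011-03-13 21:40"), "merchant": "O2_TOPUP", "pan": "4111111111111111", "expiry": "01/12", "approved": False},
    {"ts": _t("2011-03-13 21:41"), "merchant": "O2_TOPUP", "pan": "4111111111111111", "expiry": "02/12", "approved": False},
    {"ts": _t("2011-03-13 21:43"), "merchant": "O2_TOPUP", "pan": "4111111111111111", "expiry": "03/12", "approved": False},
    {"ts": _t("2011-03-13 21:44"), "merchant": "O2_TOPUP", "pan": "4111111111111111", "expiry": "04/12", "approved": True},
    # Card B: a genuine customer topping up once.
    {"ts": _t("2011-03-13 12:00"), "merchant": "O2_TOPUP", "pan": "5555555555554444", "expiry": "05/13", "approved": True},
    # Card C: purchase at the breached merchant, top-up 20 days later (outside the window).
    {"ts": _t("2011-02-20 09:00"), "merchant": "CRC", "pan": "4000000000000002", "expiry": "09/12", "approved": True},
    {"ts": _t("2011-03-12 09:00"), "merchant": "O2_TOPUP", "pan": "4000000000000002", "expiry": "09/12", "approved": True},
]


def detect_card_testing(events, window=timedelta(minutes=30), min_expiries=3):
    """Return (merchant, fingerprint) pairs where one card was tried with at
    least `min_expiries` distinct expiry dates inside `window` at one merchant.
    This is the retry-until-it-works pattern the thread attributes to the
    top-up purchases; a merchant can block the card after the second variant."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["merchant"], pan_fingerprint(e["pan"]))].append(e)
    flagged = set()
    for key, attempts in by_key.items():
        attempts.sort(key=lambda e: e["ts"])
        for i, first in enumerate(attempts):
            seen = {a["expiry"] for a in attempts[i:] if a["ts"] - first["ts"] <= window}
            if len(seen) >= min_expiries:
                flagged.add(key)
                break
    return sorted(flagged)


def detect_post_breach_probe(events, breached="CRC", probe="O2_TOPUP", max_gap=timedelta(days=10)):
    """Issuer-side rule: an approved purchase at `breached` followed within
    `max_gap` by any attempt at `probe`. Returns {fingerprint: gap_in_days}."""
    purchases = defaultdict(list)
    for e in events:
        if e["merchant"] == breached and e["approved"]:
            purchases[pan_fingerprint(e["pan"])].append(e["ts"])
    hits = {}
    for e in events:
        if e["merchant"] != probe:
            continue
        fp = pan_fingerprint(e["pan"])
        for bought_at in purchases.get(fp, []):
            gap = e["ts"] - bought_at
            if timedelta(0) <= gap <= max_gap:
                hits[fp] = min(hits.get(fp, gap), gap)
    return {fp: gap.days for fp, gap in hits.items()}


if __name__ == "__main__":
    print("card testing:", detect_card_testing(EVENTS))
    print("post-breach probes:", detect_post_breach_probe(EVENTS))
```

Only card A trips either rule: its four expiry variants within four minutes satisfy the velocity check, and its top-up attempt falls eight days after the CRC purchase. Card C shares the same merchants but its 20-day gap is outside the window the thread describes, and card B's single genuine top-up is never flagged, which is the point of keying on distinct expiry values rather than on "any O2 payment".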

Not necessarily software

While a software security issue may be involved, the possibility that an employee is doing this shouldn't be overlooked. The fact is that anyone with your card details and security number can make a deduction, and it need not relate to an actual purchase. The company should make a careful check of logs for anyone making unauthorised logins to the ecommerce software, or for issues like authorised staff leaving computers unattended with payment-handling software running.

I tend to prefer PayPal for buying online. That way, only one transaction is possible per purchase, and I determine the amount paid, not the seller.

I daresay there are security issues with PayPal too, but IMHO it's a safer system.

RE: @AC 22:03

"Why would a fraudster buy house insurance on your house in your name? Am I being thick, but I don't see what the tea leaf gets out of this."

I would love to know the answer to this one. I work for an online retailer, and we have a facility for customers to pay by direct debit. We do from time to time get fraudulent attempts, normally from the likes of Vietnam, africa and the likes. These are picked up and cancelled by our systems anyway.

We had an interesting scenario around 12 months ago. An attempt was made to place a DD order. We checked it out and it was fraud, so cancelled. We were then contacted by the police, who informed us that we should keep an eye out for a character who was setting up DDs. The bizarre thing was, this person was using the details of a guy who owned a B&B on the south coast.

Even stranger was that this fraudster was taking out Building and Contents insurance on the B&B, also life insurance on the owner, and extra fire cover. The owner of the B&B was obviously quite worried that the place was going to get torched.

The really strange thing though was that the fraudster was doing this all in the B&B owner's name. So even if something did happen, the person who would benefit would be the owner. The fraudster would not benefit from anything?

The reason the police contacted us, and this is bizarre, is they told us they could do nothing about this unless some money actually changed hands. Up until now, all the attempted DDs had failed, so they could do nothing.

They didn't say this, but reading between the lines they were saying "please allow a transaction to go through and be setup, so we can then go after the guy".

'nailing the fraudster'

Many years ago when I had a Barclaycard I started getting fraudulent transactions on it from America. I immediately phoned Barclays when I discovered this to cancel the card but they practically refused, saying if they gave me a new card any transactions put on the old card's number would automatically transfer to the new one, WTF?!

The fraudulent transactions continued to appear, Barclays told me to just notify them whenever it happened, I just wanted the card & account cancelled but they kept on telling me to report the fraudulent transactions presumably they wanted to catch the 'bad guys' but it didn't make me feel any better being the bait.

FIVE MONTHS it took to get them to finally cancel the card, I did receive all the money back but the time it took to cancel it was quite OTT, and this was the year when they had Stephen Fry in their adverts saying how Barclaycard was safe to use online... and the week it was finally cancelled the other two people in the house received Barclaycard pens and invitations to sign up to Barclaycard.

Needless to say, I've not signed up to another credit card from any bank since.

Credit Card Details not Held, apparently.

This statement appears in CRC Terms and Conditions under the heading "Credit Card Security"

"When your order is processed your encrypted credit card number is removed from the web server.

This means that there is no way that someone can obtain your credit card number from CRC so you can order with confidence!"

So assuming this is a true statement, the card number is encrypted wherever it is stored. It states "removed from Web Server" and not database, so I would make the wild assumption that maybe the number is stored in Session for the life cycle of the order processing, and once complete the session is wiped.

This leads me to believe, again assumptions galore, that the site uses a 3rd party payment provider, which they integrate with via an API. The card details are entered onto their site, and then communication with a 3rd party server takes place "in the background".

This should mean that they should comply with the highest level of PCI DSS as they are both storing (in session) the details and transmitting the details to another location for processing.

I personally never handle card details in ecommerce sites I have developed. Far better to offload the whole thing to a reputable payment service provider, via a hosted solution, so you never have to touch, store or see the details ever. If your systems never have that data, then you can never compromise that data.

However, I must add that if you do use a 3rd party provider, you still need to undergo PCI DSS and complete a Self Assessment, and you are responsible for verifying the PCI compliance level of your 3rd party provider.

But I ask the question. Why am I made to jump through all these PCI hoops, scans and checks, but when instances like this happen with big e-tailers, nothing ever seems to happen. I bet if something like this happened to the little guy, there would be many lashes received.

Not Happy

Another victim here. Purchased twice from CRC, once on the 4th of March and secondly on the 7th. Discovered CRC had been (and probably still is) compromised this morning while checking through my regular IT related forums, including TheReg. So 15 minutes later and an anxious trip to the ATM to discover two fraudulent transactions totalling 2.5k, both debited this morning.

Response to sad, lazy post

I've no idea what your point is? I wish I could walk down the pavement outside my house without having to avoid all of the ILLEGALLY driven and parked cars on the pavement.

" Used the road (badly and without any form of license) without paying for the privilege like all other road users. "

So who do you think pays for roads? How about my personal taxes, council tax, VAT etc which all contribute to the upkeep of roads. If you fire back and tell me it's paid for by 'road tax' I'll simply roll over and laugh at you for being completely stupid.

The standard of driving in this country is shockingly poor yet the idiots in tin boxes still bleat on claiming the moral highground even though they are no better, or possibly worse given the amount of innocent lives taken at the hands of drunk and inept motorists. (1 death attributed to cyclists in the past 10 years).

Every other point you've made applies to as many car drivers as cyclists.

@AC 18th March 2011 12:25 GMT

"Ooo look at me, I'm making jibes at cyclists because I'm a car driver who hates them getting in MY way on MY road, I'm so original!"

*YAWN*

Get some new material.

For the record I still have my Cycling Proficiency badge from 25+ years ago. I do ride at night without lights sometimes (the advantages of being in the countryside where traffic seems to disappear in the early hours; it's nice being able to ride in the moonlight), there is one traffic light that doesn't see me so sometimes I do go through a red light but only when there are no other cars around, and I do ride on pavements because it's often safer, and I get off and walk when going past pedestrians.

Oh and pavements don't generally have huge potholes that can be quite dangerous to a cyclist travelling at speed, potholes caused by and made worse by cars etc.

Me again

Cyclists eh? Kuh eh? Kuh.

Ha. "(b) cyclists seem to spend a disproportionate amount of time on forums rather than out on their bikes."

That might be because after we've biked to work we have to sit in front of a computer for 8 hours before biking home to our families, probably getting home in the dark and certainly - for now at least - in the dark by the time we do get home. Check the discussions on any bike site and see how it's pretty lively through the working day, but drops enormously during the commute times and over the weekends. A bit like El Reg in fact.

Still. Nothing like letting the facts get in the way of a gigantic sweeping statement that backs up your own biased views eh?

It's true though

I'm a cyclist and occasionally drop in on forums like Bikeradar when I need advice or to see if there's anything I can help out with. What amazes me is the number of people on such forums who seem to spend every waking hour on there. Trawl through these forums and you'll find loads of them. People with post counts you wouldn't believe who post at all hours of the day every day of the month. When are they actually cycling?

And as for the online spending that's true too. Every cyclist I meet tells me they support their LBS and yet all of them seem to shop online.